February 15, 2006
The new face of phishing
One of the basic aspects of security is trust. Trust is a difficult thing to quantify, to assign, and to validate. This has not stopped the Internet from being built on trusted authorities that tell us, the great unwashed masses, who is a scammer and who is for real.
So on that note, some phishers have taken a step forward in sophistication. According to several articles (one of which is here: http://www.boingboing.net/2006/02/14/phishers_trick_inter.html ), a phishing site was erected that not only looked like the legitimate bank, but also had an SSL certificate issued by GeoTrust, and assurance from ChoicePoint that it was the genuine article.
What do we do if even jaded security professionals can get duped, and the mechanisms that are in place to assure individuals about who we should trust and who we should shun are compromised?
I do think that incidents such as this will raise awareness in the trusted authority community that scammers are now actively targeting them. While I love that SSL certificates are nowhere near the price they were five years ago, I do believe that fraud detection at the certificate authorities will become an arms race similar to the malware/anti-malware dynamic.
